Posted to issues@ambari.apache.org by "Akhil S Naik (JIRA)" <ji...@apache.org> on 2019/08/06 10:35:00 UTC

[jira] [Assigned] (AMBARI-25347) [Security Vulnerability] SSL enabled Ambari's information exposed to port 8441

     [ https://issues.apache.org/jira/browse/AMBARI-25347?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Akhil S Naik reassigned AMBARI-25347:
-------------------------------------

    Assignee: Akhil S Naik

> [Security Vulnerability] SSL enabled Ambari's information exposed to port 8441
> ------------------------------------------------------------------------------
>
>                 Key: AMBARI-25347
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25347
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-agent, ambari-server
>    Affects Versions: 2.7.3
>         Environment: ambari-2.7.3/ HDP-3.1
>            Reporter: Gyan
>            Assignee: Akhil S Naik
>            Priority: Major
>              Labels: security
>
> Description-- 
> State of Ambari-- Ambari is SSL enabled.
> Issue--
> The URLs below are exposed and can be accessed via port 8441 without logging in to Ambari.
> 1-  'https://<ambari_server>:8441/users'
> Example--
> {code:java}
> {
>   "href" : "https://172.25.40.23:8441/users",
>   "items" : [
>     {
>       "href" : "https://172.25.40.23:8441/users/admin",
>       "Users" : {
>         "user_name" : "admin"
>       }
>     }
>   ]
> }
> {code}
>  
>  
> 2-  'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_SERVER' 
> Example--
> {code:java}
> {
>   "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_SERVER",
>   "RootServiceComponents" : {
>     "component_name" : "AMBARI_SERVER",
>     "component_version" : "2.7.3.0",
>     "server_clock" : 1564744453,
>     "service_name" : "AMBARI",
>     "properties" : {
>       "agent.package.install.task.timeout" : "1800",
>       "agent.stack.retry.on_repo_unavailability" : "false",
>       "agent.stack.retry.tries" : "5",
>       "agent.task.timeout" : "900",
>       "agent.threadpool.size.max" : "25",
>       "ambari-server.user" : "root",
>       "ambari.python.wrap" : "ambari-python-wrap",
>       "api.ssl" : "true",.............................
> {code}
> 3- Using 'https://<ambari_server>:8441/services/AMBARI/components/AMBARI_AGENT' 
>  
> Example-- 
> {code:java}
>   "href" : "https://172.25.40.23:8441/services/AMBARI/components/AMBARI_AGENT",
>   "RootServiceComponents" : {
>     "component_name" : "AMBARI_AGENT",
>     "component_version" : "NOT_APPLICABLE",
>     "service_name" : "AMBARI",
>     "properties" : { }
>   },
>   "hostComponents" : [
>     {
>       "href" : "https://172.25.40.23:8441/services/AMBARI/hosts/c2236-node2.squadron-labs.com/hostComponents/AMBARI_AGENT",
>       "RootServiceHostComponents" : {
>         "component_name" : "AMBARI_AGENT",
>         "host_name" : "c2236-node2.squadron-labs.com",
>         "service_name" : "AMBARI"
>       }
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
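
A regression check for the three paths named in the report, for use against an Ambari server you operate once access to port 8441 has been restricted. This is an added example, not code from the JIRA issue or from the Ambari project; `classify`, `audit`, `fetch_no_auth`, the `cafile` parameter, the host `ambari.example` and the `SAMPLE` responses are assumptions made for illustration.

```python
import json
import ssl
import urllib.error
import urllib.request

# Paths the report lists as readable on port 8441 without a login.
REPORTED_PATHS = (
    "/users",
    "/services/AMBARI/components/AMBARI_SERVER",
    "/services/AMBARI/components/AMBARI_AGENT",
)
# Top-level JSON keys seen in the report's sample responses.
API_KEYS = {"items", "RootServiceComponents", "hostComponents"}
# Constructed responses (not captured from a real server) for an offline run.
SAMPLE = {
    "/users": (200, '{"href": "https://ambari.example:8441/users", "items": []}'),
    "/services/AMBARI/components/AMBARI_SERVER": (403, ""),
    "/services/AMBARI/components/AMBARI_AGENT": (200, "<html>login</html>"),
}

def classify(status, body):
    """'protected' for 401/403, 'exposed' for 200 with API JSON, else 'unknown'."""
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unknown"
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"  # 200 but not JSON, e.g. a login or error page
    exposed = isinstance(doc, dict) and API_KEYS.intersection(doc)
    return "exposed" if exposed else "unknown"

def fetch_no_auth(url, cafile=None, timeout=5):
    """GET with no credentials; cafile is the CA that signed the port's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def sample_fetch(url):
    """Offline stand-in for fetch_no_auth that serves the constructed SAMPLE."""
    return SAMPLE[url.split(":8441", 1)[1]]

def audit(base_url, fetch=fetch_no_auth):
    """Classify every reported path for one server; any 'exposed' is a failure."""
    return {p: classify(*fetch(base_url.rstrip("/") + p)) for p in REPORTED_PATHS}
```

Calling `audit("https://ambari.example:8441", fetch=sample_fetch)` runs against the constructed data; the default `fetch` makes real unauthenticated requests.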